IntSights' Blog

The Dark Side of Acquisitions: How Marriott May Have Avoided Their Data Breach

We’ve all heard about the Marriott data breach, which was publicly announced on November 30, 2018. You can now throw Marriott in with the likes of Yahoo and Equifax, all prominent companies that suffered massive data breaches. However, like most breaches, the source of Marriott’s breach goes back well before its first report, and at the time didn’t even have anything to do with Marriott.

When you acquire a company, you don’t just acquire its assets; you acquire its risks as well. Had Marriott taken the appropriate precautions and performed proper diligence before acquiring Starwood, it may have avoided the second largest data breach of all time.

The Timeline

In 2016, Marriott acquired Starwood Hotels & Resorts Worldwide for $13.6 billion. This acquisition made Marriott the largest hotel chain in the world, with more than 6,500 properties in 127 countries and over 1.2 million rooms. Sounds like a good investment, right?

Two years later, on November 30, 2018, Marriott International announced it was the victim of a massive cyber breach that had begun in 2014 and continued until September 8, 2018, when the hotel chain was first alerted to an unauthorized attempt to access its guest reservation database.

The hackers penetrated Starwood’s reservation system in 2014 (before it was acquired by Marriott) and managed to keep the intrusion undetected for four years. This hack ultimately exposed the data of roughly 500 million guests who made reservations at any Starwood hotel from 2014 until September 2018. In a statement released by Marriott, the company announced that:

For the remaining guests, the exposed data may have included credit card information.

A few days after the breach was published, The New York Times reported that hackers affiliated with the Ministry of State Security (“MSS”), China’s civilian foreign intelligence agency, were allegedly responsible for the hack.

According to U.S. government investigators’ allegations, the MSS was executing an extensive intelligence-gathering effort with the goal of developing China’s databases on U.S. citizens.

The Starwood breach was a part of other breaches carried out by the MSS between 2014 and 2015, including the 2015 breach of the Office of Personnel Management (which exposed personal data of 20 million government employees, their family members and applicants), as well as Anthem (79 million records) and CareFirst, which are healthcare insurers.

What’s interesting is that Starwood was the victim of a separate malware breach back in 2014 that stole guest credit card data and impacted roughly 50 hotels across the U.S. and Canada. There’s no evidence that this breach was connected to the larger breach, but both began in 2014.

Recent Updates

Update to the Number of Guests Impacted: "Marriott now believes that the number of potentially involved guests is lower than the 500 million the company had originally estimated. Marriott has identified approximately 383 million records as the upper limit for the total number of guest records that were involved in the incident."

Passport Data Now Found to be Stolen: "Marriott now believes that approximately 5.25 million unencrypted passport numbers were included in the information accessed by an unauthorized third party. The information accessed also includes approximately 20.3 million encrypted passport numbers."

Stolen Credit Card Data: "Marriott now believes that approximately 8.6 million encrypted payment cards were involved in the incident. Of that number, approximately 354,000 payment cards were unexpired as of September 2018."

The Impact of Acquisitions

The Marriott breach is the second biggest data breach ever, after Yahoo’s breach. Both of these breaches had significant acquisition impacts, but with two very different outcomes.

In June 2016, Verizon announced that it was planning to acquire Yahoo for $4.8 billion. However, in December 2016, Yahoo disclosed that it had discovered two data breaches that took place in 2013 and 2014, which in total exposed 3 billion accounts and personal information.

Due to the breaches, the two companies came to an agreement that the final price of the acquisition would be $350 million less than the initial offer. In addition, there was a revision to the agreement that was made in order to allocate legal liabilities that arose from the breaches. The new revised agreement made Altaba (Yahoo’s new name) liable for legal expenses derived from the breaches. In June 2017, Verizon completed its $4.48 billion acquisition of Yahoo.

Had Verizon bought Yahoo without knowing about the breaches, it would have made Verizon completely exposed to the legal implications. Perhaps more importantly, people might associate Verizon with the largest breach in history, but instead, everyone talks about “the Yahoo breach”, not “the Verizon breach”. That brand association can have long-lasting impacts and is a marketer’s worst nightmare.

Luckily for Verizon, the breaches were published by Yahoo prior to signing the final agreement. Marriott suffered the opposite fate, where the breach did not originate from one of their systems, but they will forever be associated with and liable for the breach because of their Starwood acquisition.

The Importance of Cyber Due Diligence

The Marriott and Yahoo breaches are great examples of why companies must assess cyber risk before making any investment or acquisition. Countless hours, calculations, interviews and assessments go into any due diligence process, yet cyber risk assessments are a relatively new part of it, even though the impact of skipping them can be catastrophic.

Marriott is expected to face up to $1 billion in fines and litigation costs as a result of the breach. Had Marriott discovered this breach prior to its acquisition, it would likely have saved these fines and litigation costs, gained better negotiating power and a lower purchase price for Starwood, and perhaps most importantly, avoided being associated with the second largest breach in history (at least until another major breach comes along).

Organizations must have a process in place to assess cyber risk for potential acquisitions and strategic investments. There are many indicators and external sources that companies can use to understand how, when and if an acquisition target might be compromised. Performing these assessments enables companies to improve their due diligence process, have better negotiating power, and ultimately make safer acquisitions.


Hadar is a Threat Intelligence Research Analyst at IntSights, focused on the Asian Dark Web with an emphasis on the Chinese Dark Web. She lived in China for 5 years and speaks fluent Chinese. Hadar researches criminal activity across the Asian Dark Web to uncover key intelligence from unique sources. She believes the Asian cyber ecosystem is still mostly unknown and finds it very interesting to explore this secret underworld.
